HTML5 APIs Fingerprint Users - How to Prevent

Wednesday, March 23, 2016

firefoxchromeoperahtml5fingerprintprivacy

The word fingerprinting comes from the forensic analysis of a human hand. These fingerprints are considered markers of human identity as they’re not easy to alter and are durable over the lifetime of an individual. These characteristics make them suitable markers for human identity. In similar fashion, our computers and multimedia devices can be identified and tracked by websites we access on these devices.

Before we divulge into the details of how device fingerprinting works, let us revise some old concepts about the working of internet. Internet wouldn’t have been such a global phenomenon if there was no standardization and a website which appeared perfectly on one computer looked a random mesh of images and text on another. To avoid such a scenario, we have an internet body which develops standards to ensure the universality of content on the internet. Worldwide Web Consortium (W3C) is the name of this body and the latest iteration of markup language, recommended by W3C, used for structuring and presenting content on the internet is HTML5. The APIs of HTML5 are a set of routines, protocols and tools to create applications, websites in our case.

Now that we’ve brushed up on our basics, let’s figure out how these APIs are used to identify us but before we do that, we must realize that these APIs were actually developed to enhance the interaction of user with web applications and games etc. The HTML5 APIs are exploited to calculate a device’s fingerprint as, in order to allow these new features and capabilities, the browser allows the web applications a wider access to the system resources. HTML5 has brought high level JavaScript APIs that is basically an overlay on top of system APIs with is unified across different operation systems without the need to install any third party plug-ins. This more permissive access to the device’s hardware allows a website to fingerprint a device based on its hardware features because of which it is possible to identify a user even if he disables cookies.

There are many factors which are exploited to fingerprint a user’s device, some of these are the obvious ones but many are things which the average user does not realize that they can be used to identify and track his device. Here’s a list of some of those major factors:

IP address

Cookies

Language

Time zone

HTTP headers (User agent, referrer, etc.)

HTML5 APIs (WebRTC, Battery API, etc.)

HTML5 and CSS3 features detection

CSS media queries

WebGL

Browser plug-ins (Flash, Silverlight, Java, etc.)

Browser add-ons

Browser options (Do-Not-Track etc.)

Browser storage

System fonts

TLS/SSL Session IDs

Hardware detection (Camera, Mic, Touch screen, etc.)

Screen (resolution, color depth, pixel density, etc.)

Audio and video codecs

Accessibility features

Now that we’ve mentioned some of the main culprits, we shall now see how these factors help in the fingerprinting of our devices and what the precautions we can take to not become a victim of this.

Client side JavaScript

In web development, it is the browser in user’s machine that runs the code and it is mostly done in JavaScript, it is in addition to CSS and basic HTML code. This code can be run to identify most parameters of your browser. To effectively block scripts, we can either disable JavaScript globally in Firefox and Chrome or use add-ons such as Policy Control to allow only scripts from trusted resources.

Canvas

Canvas is a stealthy, almost unstoppable, technique. When a browser visits a webpage with a canvas fingerprinting script enabled, it is instructed to draw a hidden graphic which gets converted to a token. The uniqueness of this token depends on many factors including browser, operating system, graphics hardware etc. To avoid Canvas fingerprinting, you can either disable JavaScript globally, or use an extension that blocks or alters JS access of the Canvas element.

Battery Status API

According to researches, Battery Status API is able to determine current battery level, time required for the device to fully charge again as well as time left for the device to be fully discharged. All this data combined together adds up to a unique number to identify an individual device, potentially allowing the tracking of activities on the web.

WebRTC

WebRTC stand for Web Real-Time-Communications. This API was developed to support browser to browser applications for voice calling, video chatting and P2P file sharing without the need for plug-ins. As the nature of this API tells us that it has access to our camera, microphone and browser data, it becomes very easy to identify the device by exploiting a single API. In order to avoid WebRTC leaks, in Firefox use Privacy Settings extension. On Chrome, install WebRTC Leak Prevent add-on.

Resource Timing

The “Resource Timing” interfaces is basically a set of APIs to retrieve and analyze timing details used on network for an application to load all web resources. It enables websites to measure user latency. Using the Resource Timing API allows us to retrieve and analyze a detailed profile of all the network timing data for every resource on the page.
If you use Firefox you can disable this API by installing Privacy Settings add-on and setting the values of dom.enable_resource_timing , dom.enable_user_timing and dom.performance.enable_user_timing_logging as false. On Chrome browser at this point the only way to disable resource timing is to disable JavaScript execution entirely.

Geolocation

It can reveal your physical location and compromise your privacy. Modern browsers always ask permission to reveal geo location to websites and apps requesting it though.

On Firefox browser to disable geo location access permanetly, you can install Privacy Settings add-on. After installation, in the panel, look for geo.enabled value and set it to false (disabled). On Chrome go to “Settings”, then “Show advanced settings”, find “Privacy” block and click on “Content settings”, in this window look for “Location” and select the option “Do not allow any site to track your physical location”.